Booking.com Phishing Campaign Targeting Hotels and Customers
Essential information
- Published
- 13/01/2026 19:46
- Modified
- 14/01/2026 11:12
- Tags
- 2025-11-07 2026-01-13 booking.com clickfix credential-theft cybercrime hospitality phishing purerat social engineering
- Related entities
- 56 observables, 20 techniques (mitre), 1 malware, 67 others
Description
A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social engineering tactic. The malware, identified as PureRAT, allows attackers to steal credentials and access booking platforms. Compromised accounts are then used to send fraudulent messages to hotel guests, tricking them into paying for their reservations a second time. The cybercrime ecosystem supporting these attacks includes services for harvesting hotel administrator contacts, distributing phishing emails, and trading stolen Booking.com account credentials on underground forums.